There is no even remotely good alternative to using cookies for maintaining state on your site. How exactly would you achieve something like logging in and using the site without cookies?
– Charles Boyung, Aug 23 '11 at 5:04

Session id in url + session object in DB or other storage. But it requires expensive (in some cases) synchronization for the distributed storage.
– Sergey, Aug 23 '11 at 20:28

So you're going to append that session ID to every URL in your site when rendering? And URLs from external sources (like, for example, emails that you send your users) will not keep them logged in. Like I said, there is no remotely good alternative to cookies for maintaining state. There are plenty of BAD alternatives, but none that are good.
– Charles Boyung, Aug 23 '11 at 21:11

Also, you should be storing most things in the DB or other storage anyways for a session. Passing everything back and forth via cookies is both insecure and resource intensive.
– Charles Boyung, Aug 23 '11 at 21:12
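The design the comments above converge on (session state kept in server-side storage, with only an identifier carried by the cookie) can be sketched as follows. This is an added example, not code from any poster in the thread; the cookie name `sid`, the `SESSION_TTL` value and the in-memory dict standing in for the DB are assumptions, and the expiry and ID rotation go a step beyond what the comments state.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # seconds; constructed value for this example
_sessions = {}      # stand-in for the DB or shared store (assumption)


def create_session(data, now=None):
    """Store session data server-side and return an unguessable opaque ID."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"data": dict(data), "expires": now + SESSION_TTL}
    return sid


def session_cookie_header(sid):
    """Build the Set-Cookie value: only the ID travels, never the data."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # not readable from page script
    cookie["sid"]["secure"] = True     # sent over HTTPS only
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


def load_session(cookie_header, now=None):
    """Resolve a request's Cookie header to server-side data, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    entry = _sessions.get(morsel.value) if morsel is not None else None
    if entry is None:
        return None                    # missing cookie or unknown ID
    if entry["expires"] <= now:
        del _sessions[morsel.value]    # expired: drop it from the store
        return None
    return entry["data"]


def rotate_session(old_sid, now=None):
    """Issue a fresh ID on login or privilege change; the old ID stops working."""
    entry = _sessions.pop(old_sid, None)
    return create_session(entry["data"], now) if entry else None
```
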

2 Answers

In practice? I suppose it'd be near-impossible to argue against a yes answer to your initial question.

Fig. A: Gmail. Attempting to sign in to Gmail with cookies disabled in your browser will return some form of this message:

Your browser's cookie functionality is turned off. Please turn it on.

A quick trip around the internet will invariably agree that you may rely on cookies to handle/assist in logging a user in, for example. At this point (arguably to our detriment) cookies have found a pretty comfortable spot in our codebases.

There are a lot of different ways to look at this, but I'd recommend an approach of "graceful degradation" where cookies are used in ways to improve the user experience but not in a way where the site does not work at all if they are missing.

It seems like you're already concerned about this, based on the way you're writing up this question. If you think some of your users won't have cookies enabled (which is likely), don't design a solution to completely exclude them. However, if you can make it better for everyone else, go for it.

Exactly how do you propose maintaining state for a user without some form of cookies enabled? I also disagree with your belief that some users won't have cookies enabled - cookies are ubiquitous with web browsing at this point. Ten years ago, maybe not, but now, definitely.
– Charles Boyung, Aug 23 '11 at 5:03

Given the OP's concern, I was assuming he or she had some basis to believe a non-trivial number of users would be impacted by disabled cookies. I agree they are very well established these days, although there are some interesting new EU laws that may make cookies legally sketchy choices.
– Rain, Aug 24 '11 at 5:03

Then I ask you the same thing as I asked the OP - exactly how do you propose maintaining state in a web application without cookies? There is no other solution that is even close to a good solution.
– Charles Boyung, Aug 24 '11 at 13:07